
-----------------------------------------------------------------
Carrefour
Vulnerability Disclosure Policy
-----------------------------------------------------------------
Vulnerability Disclosure Program Policy
Responsible Disclosure
At Carrefour we greatly appreciate the support of cybersecurity researchers and members of the community in helping us maintain our IT security posture.
If you identify a security vulnerability relating to any of our websites, please notify us promptly before disclosing the vulnerability to any external entity, so that we have enough time to take the necessary measures. This is what we call "responsible disclosure".
Please keep all information relating to the vulnerability confidential from all third parties, without any limitation in time.
How do you notify us?
If you have identified a security vulnerability, please proceed as follows:
- Send us your notification as soon as possible via email to voc@carrefour.com.
- Include the following information in your report:
- The type of vulnerability discovered.
- The service/application impacted by the vulnerability.
- A detailed description of the vulnerability discovered, along with any useful supporting material (e.g. screenshots, images, text files, etc.).
Please use this public PGP key to encrypt the email so that unauthorized parties cannot read the information.
Please keep in mind that supplying your contact information along with your report is entirely voluntary and at your discretion. If you submit your contact information, Carrefour will only use such information to get in touch with you in order to clarify the details of your report if necessary.
Reporting a vulnerability
By making a report to Carrefour regarding vulnerabilities, errors and other flaws, you agree to the following terms:
Carrefour may use your report for any relevant purpose, including but not limited to correcting any reported flaw that requires correction. Carrefour will hold all use and ownership rights to any changes and/or improvements proposed in such reports.
You confirm to Carrefour that:
- You have not exploited nor used in any manner, and will not exploit nor use in any manner, the discovered vulnerabilities, errors and/or flaws, other than for the purposes of reporting;
- You have not engaged, and will not engage, in testing/research of systems with the aim of harming Carrefour;
- You have not used, misused, deleted, altered or destroyed, and will not use, misuse, delete, alter or destroy, any data that you have accessed or may be able to access in relation to the vulnerability and/or error discovered;
- You have not tested, and will not test, the physical security of any property, building, store or facility of Carrefour;
- You agree that you are making your report without any expectation or requirement of reward or other benefit, financial or otherwise, for making such a report, and without any expectation or requirement that the vulnerabilities and/or errors reported are corrected by Carrefour.
Examples of vulnerabilities we will consider.
- Injection and deserialization vulnerabilities (e.g. NoSQL, SQL, LDAP injection, Code injection, command injection, object deserialization);
- Broken authentication and broken access control vulnerabilities (e.g. incorrect implementation of authentication, access control, session management, etc.);
- Sensitive data exposure;
- Cross-site scripting vulnerabilities;
- Cross-site request forgeries;
- Server-side request forgeries;
- Redirect vulnerabilities;
- Underprotected APIs (API abuse, API misconfigurations, etc.).
Examples of vulnerabilities we will not consider.
We continuously monitor our internet-facing assets to identify security issues and misconfigurations, and we therefore kindly ask that you avoid reporting the following items unless they lead to actual exploitation:
- Weak configurations of the TLS protocol.
- Non-compliance with best practices (e.g. SPF/DKIM/DMARC configuration, TLS misconfigurations, etc.).
- Raw output of well-known automated tools/solutions, without a demonstrated exploitable impact.
How will we respond?
If you report a vulnerability relating to any of our websites, we will process your report as follows:
- We will confirm receipt of your report within three (3) business days.
- We will treat your report as confidential and will not share your details with third parties.
- We do not run a reward program for reporting vulnerabilities.
By making a report, you agree that you do so without any expectation or requirement of reward or other benefit, financial or otherwise.